cat-users - RE: [[cat-users]] Certificate provided by linux script does not work

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Carlos de Manuel Clemente <Carlos.deManuel AT uclm.es>
  • To: Tomasz Wolniewicz <twoln AT umk.pl>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Cc: Julián de la Morena Borja <Julian.delaMorena AT uclm.es>
  • Subject: RE: [[cat-users]] Certificate provided by linux script does not work
  • Date: Mon, 12 Feb 2024 10:19:18 +0000

Sorry. I sent you the ca.pem that I had modified by deleting the last line. 

I am sending you again the original ca.pem file that the script generates.

The system where I am testing is a clean Ubuntu, freshly installed, version 22.04.1.

I confirm that if I run the script, it generates the ca.pem like the one attached and the connection fails. If in the ubuntu system I modify the ca.pem file by deleting the last line in soft, then it connects correctly.

Regards.


Carlos de Manuel Clemente
Technician I - Systems and Network Analyst
RECTORADO DE LA U.C.L.M. | Edificio CTIC C/ Altagracia, 50 | 13003 Ciudad Real
Tel.: 926 295 202  | Mobile: 680 222 092  |  E-mail: Carlos.deManuel AT uclm.es
https://www.linkedin.com/in/carlosdemanuel/

 


 

Please do not print this document unless absolutely necessary. Environmental protection is in our hands.
This e-mail may contain confidential information of the UCLM and is exclusively intended for the addressee.
If you have received it by mistake and are not the intended recipient, do not send the contents and please notify the sender.

 




From: Tomasz Wolniewicz
Sent: Monday, 12 February 2024 10:41
To: Carlos de Manuel Clemente; cat-users AT lists.geant.org
Cc: Julián de la Morena Borja
Subject: Re: [[cat-users]] Certificate provided by linux script does not work

Interesting, when I save them they come out exactly identical. This could be the problem of the mail client.

Still, I believe that on your side the difference is in the newline after the final line.


I find it hard to believe that any tool could complain about an extra line or actually any extra text outside of the cert boundaries.


Can you provide some details about the system that is causing that?

Cheers

Tomasz



On 12.02.2024 at 09:09, Carlos de Manuel Clemente wrote:
Hi. 

Sorry, I forgot to attach the files. (I changed the extension crt to mycrt.)
Here are the files.

Paul, thanks for the advice. I'll try geteduroam and let you know.

Regards.




 




From: Tomasz Wolniewicz
Sent: Friday, 09 February 2024 19:00
To: Carlos de Manuel Clemente; cat-users AT lists.geant.org
Cc: Julián de la Morena Borja
Subject: Re: [[cat-users]] Certificate provided by linux script does not work

Hi,

 you have omitted the attachments.

Of course, I can confirm that the script does add this empty line after the

-----END CERTIFICATE-----
line, however no parser should care about what is outside the BEGIN/END lines.


I have just tried Ubuntu  23.10 with NetworkManager/wpa_supplicant and this works for me without any problems.

Could you let me know what supplicant tools are active on the machine that is causing problems?

Cheers

Tomasz



On 9.02.2024 at 14:43, Carlos de Manuel Clemente (via cat-users Mailing List) wrote:
Hello

Certificate provided by linux script does not work

Organization: University of Castilla-La Mancha
Affected profiles: all
Operating system: Linux

We have detected that computers with linux (specifically we have tested with Linux Mint and Ubuntu) do not connect correctly with eduroam after executing the configuration script downloaded from https://cat.eduroam.org.
We have noticed that the linux installer incorporates the ca.pem certificate that includes an empty line after the "End Certificate" line. Removing that empty line the equipment connects correctly.

I attach both files. CA.pem provided by the installer, and radius-eduroam2023.crt which is the one we provide for manual configuration and for the installer profile.

This line added at the end causes a connection failure on Ubuntu computers.  
Our RADIUS alert is: EAP-PEAP: fatal alert by client - internal_error
eap-tls: Error in establishing TLS session.

I am not aware of any other devices being affected. I also don't know since when this problem has been happening.

Can you make the script generate the ca.pem file without the last empty line?  Or tell me another solution if there is one.

Thank you.
Best regards






 

-- Tomasz Wolniewicz

Attachment: ca.pem
Description: ca.pem

Attachment: eduroam-linux-UdCM-Personal_UCLM.zip
Description: eduroam-linux-UdCM-Personal_UCLM.zip
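
Added example (not part of the thread and not code from the CAT installer): a Python check that lists what a CA file contains outside its BEGIN/END CERTIFICATE lines, which is the difference reported between the two files discussed above, and rebuilds the file from the certificate blocks only. The function names are this example's own, and the sample bytes are constructed placeholders rather than a real certificate.

```python
import base64
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)

def armor(der: bytes) -> bytes:
    """PEM-encode DER bytes: 64-column base64, LF endings, one newline after END."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"

def audit_pem(data: bytes) -> dict:
    """Count certificate blocks and report every byte run outside them."""
    findings, count = [], 0
    if b"\r\n" in data:
        findings.append("CRLF line endings")
    pos = 0
    for m in PEM_BLOCK.finditer(data):
        gap = data[pos:m.start()].replace(b"\r\n", b"\n")
        if gap != (b"\n" if pos else b""):  # nothing before the first block, one newline between blocks
            findings.append("before block at offset %d: %r" % (m.start(), gap))
        pos, count = m.end(), count + 1
    tail = data[pos:].replace(b"\r\n", b"\n")
    if count == 0:
        findings.append("no certificate block found")
    elif tail != b"\n":
        findings.append("after last END line: %r (expected a single newline)" % tail)
    return {"certificates": count, "findings": findings}

def normalize_pem(data: bytes) -> bytes:
    """Rebuild the bundle from its certificate blocks only, dropping everything else."""
    return b"".join(
        armor(base64.b64decode(b"".join(m.group(1).split()), validate=True))
        for m in PEM_BLOCK.finditer(data)
    )

# Constructed sample input: placeholder bytes, not a real X.509 certificate.
SAMPLE_DER = b"constructed placeholder bytes, not a real X.509 certificate " * 2
INSTALLER_STYLE = armor(SAMPLE_DER) + b"\n"  # extra empty line after END, as reported in the thread
MANUAL_STYLE = armor(SAMPLE_DER)             # file that ends right after the END line

if __name__ == "__main__":
    for name, blob in (("installer-style", INSTALLER_STYLE), ("manual-style", MANUAL_STYLE)):
        print(name, audit_pem(blob))
    print("normalized equals manual-style:", normalize_pem(INSTALLER_STYLE) == MANUAL_STYLE)
```

Running `audit_pem` on the bytes of both ca.pem variants also answers whether they differ in line endings or only in the trailing line, the point the mail client left unclear.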



